Windows Server - Cannot add user to Active Directory - A first chance exception of type 'System.Runtime.InteropServices.COMException' occurred in System.DirectoryServices.dll

Asked By waghray on 06-Mar-07 03:51 PM
I am trying to add a user to Active Directory and I get the following
error when debugging:

A first chance exception of type
'System.Runtime.InteropServices.COMException' occurred in
System.DirectoryServices.dll

The code that I am using to add the user is as follows:

[WebMethod]
public void CreateUser(string strEmail, string firstName, string lastName, string strUserName, string strPassword)
{
    string strDomain = "ldap://134.232.200.1:234/CN=Users,DC=kenweb,DC=local";
    DirectoryEntry obDirEntry = null;
    try
    {
        PasswordGenerator passGen = new PasswordGenerator();
        string strPwd = passGen.Generate();
        Console.WriteLine("Password = " + strPwd);
        obDirEntry = new DirectoryEntry(strDomain, strUserName, strPassword);
        DirectoryEntries entries = obDirEntry.Children;
        DirectoryEntry obUser = entries.Add("cn="+strEmail,
        obUser.Properties["sAMAccountName"].Value = strEmail;
        obUser.Properties["userPrincipalName"].Value = strEmail;
        obUser.Properties["FullName"].Add(firstName + " " + lastName);
        obUser.Properties["FirstName"].Add(firstName);
        obUser.Properties["LastName"].Add(lastName);
        obUser.Properties["EmailAddress"].Add(strEmail);
        object obRet = obUser.Invoke("SetPassword", strPwd);
        obUser.CommitChanges();
    }
    catch (Exception ex)
    {
        System.Diagnostics.Trace.TraceWarning(ex.Message);
    }
}


Any inputs on how to get this corrected will be very helpful.

Thanks,
Monisha




Joe Kaplan replied on 06-Mar-07 04:40 PM
You need to call CommitChanges on the object before setting the password the
first time, as the SetPassword method assumes the object already exists in
the directory.  You'll also probably need to enable the user after you set
the password as it is likely not going to be enabled by default.

I'd suggest reading ch 10 of our book and getting our code samples from the
website in my signature.  Both are free.  We have a lot of useful details on
user management there that explains stuff exactly like this.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
waghray replied on 06-Mar-07 06:11 PM
Thanks for your response Joe.
When adding users to Active Directory in our environment the password
is required, without which the user will not be added in.  I am going
thru Chapter 10 in your book but even that says the following:

As a result, many typical provisioning processes that create accounts
follow this protocol.
1. Create the account with initial values and commit changes.
2. Use the SetPassword operation to set an initial password.
3. Enable the account and commit changes again.


But in my case I keep getting the following error:
A first chance exception of type
'System.Runtime.InteropServices.COMException' occurred in
System.DirectoryServices.dll

when I try to debug the application.  Here is the code I am using to
add the user:

[WebMethod]
public void CreateUser(string strEmail, string firstName, string lastName, string strUserName, string strPassword)
{
    string strDomain = "ldap://172.21.200.111:389/CN=Users,DC=accoweb,DC=local";
    DirectoryEntry obDirEntry = null;
    try
    {
        Console.WriteLine("here");
        obDirEntry = new DirectoryEntry(strDomain, strUserName, strPassword);
        DirectoryEntries entries = obDirEntry.Children;
        DirectoryEntry obUser = entries.Add("CN="+strEmail,
        obUser.Properties["sAMAccountName"].Value = strEmail;
        obUser.Properties["userPrincipalName"].Value = strEmail;
        obUser.CommitChanges();

        obUser.Properties["givenName"].Add(firstName);
        obUser.Properties["sn"].Add(lastName);

        obUser.Properties["mail"].Add(strEmail);
        obUser.CommitChanges();
        string attrib = "msDS-UserAccountDisabled";

        //enable the account
        obUser.Properties[attrib].Value = false;
        obUser.CommitChanges();
        PasswordGenerator passGen = new PasswordGenerator();
        string strPwd = passGen.Generate();
        object obRet = obUser.Invoke("SetPassword", strPwd);
    }
    catch (Exception ex)
    {
        System.Diagnostics.Trace.TraceWarning(ex.Message);
    }
}


I will continue going thru your site, in the mean time any other input
will be much appreciated as I am fairly new to creating code to create
users in AD.

Thanks,
Monisha

Joe Kaplan replied on 06-Mar-07 07:40 PM
Ok, for one thing, it is a good idea to not have your environment set up to
catch first chance exceptions, as in many cases, those will be caught and
handled by the framework itself and may be something it can continue from.
You really should concentrate on the actual crashes.  When you do get a
crash, please report it back here with the full stack trace so that I can
see what went wrong.

In your code below, you are creating the user, then trying to enable him and
then trying to set the password when you just quoted the passage from my
book that says you have to create the user, THEN set the password and
finally enable the user.  Why is that?

Also, you can't use msds-userAccountDisabled unless you are programming
against ADAM.  That attribute doesn't work in AD.  You didn't mention
this was ADAM, so I wouldn't suggest you try that.  Use the technique from
the book of toggling the disabled bit on userAccountControl.  I'm pretty
sure the complete samples from the code downloads have stuff you can almost
copy and paste.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
waghray replied on 07-Mar-07 02:58 PM
Thanks Joe for your response.  My bad I pasted the code from before I
edited it.  Please find below the exception and the code;

System.Runtime.InteropServices.COMException was caught
  Message="Unknown error (0x80005000)"
  Source="System.DirectoryServices"
  ErrorCode=-2147463168
  StackTrace:
    at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    at System.DirectoryServices.DirectoryEntry.Bind()
    at System.DirectoryServices.DirectoryEntry.get_IsContainer()
    at System.DirectoryServices.DirectoryEntries.CheckIsContainer()
    at System.DirectoryServices.DirectoryEntries.Add(String name, String schemaClassName)
    at AddUser.CreateUser(String strEmail, String firstName, String lastName, String strUserName, String strPassword) in c:\ETL\AddUser\App_Code\AddUser.cs:line 50

public void CreateUser(string strEmail, string firstName, string lastName, string strUserName, string strPassword)
{
    string strDomain = "ldap://172.21.200.111:389/CN=Users,DC=accoweb,DC=local";
    try
    {
        DirectoryEntry obDirEntry = new DirectoryEntry(strDomain, strUserName, strPassword);
        DirectoryEntries entries = obDirEntry.Children;
        DirectoryEntry obUser = entries.Add("cn=TomLew.Users",
        obUser.Properties["sAMAccountName"].Value = "Tom Lew";
        obUser.Properties["userPrincipalName"].Value = "Tom Lew";

        //obUser.Properties["givenName"].Add(firstName);
        //obUser.Properties["sn"].Add(lastName);

        //obUser.Properties["mail"].Add(strEmail);
        obUser.CommitChanges();

        PasswordGenerator passGen = new PasswordGenerator();
        string strPwd = passGen.Generate();
        object obRet = obUser.Invoke("SetPassword", strPwd);

        //enable the account
        //int AccountDisabled = 2;
        //obUser.Properties["userAccountControl"].Value = AccountDisabled;
        obUser.CommitChanges();
    }
    catch (Exception ex)
    {
        System.Diagnostics.Trace.TraceWarning(ex.Message);
        Console.WriteLine(ex.StackTrace);
    }
}

The error is when trying to add a DirectoryEntries.

Thanks again for your response and input and I know I have ways to go
with this.

Best regards,
Monisha

Joe Kaplan replied on 07-Mar-07 03:21 PM
The provider name in the ADsPath must be all upper case "LDAP", not "ldap".

That is also covered in our book in ch 3.  :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
waghray replied on 07-Mar-07 05:58 PM
That worked.  Thanks Joe.
Is it possible to disable the account when creating the user account
itself.  I tried the following but it does not work because our AD
Server is set to have the password as a required field when creating
the user.
public void CreateUser(string strEmail, string firstName, string lastName, string strUserName, string strPassword)
{
    string strDomain = "LDAP://172.21.200.111:389/CN=Users,DC=accoweb,DC=local";
    const int ADS_UF_ACCOUNTDISABLE = 2;
    try
    {
        DirectoryEntry obDirEntry = new DirectoryEntry(strDomain, strUserName, strPassword);
        DirectoryEntries entries = obDirEntry.Children;
        DirectoryEntry obUser = entries.Add("CN=TonyLew", obDirEntry.SchemaClassName);
        obUser.Properties["sAMAccountName"].Value = "Tony Lew";
        obUser.Properties["userPrincipalName"].Value = "Tony Lew";

        //disable the account
        // int val = (int)obUser.Properties["userAccountControl"].Value;

        obUser.Properties["userAccountControl"].Value = ADS_UF_ACCOUNTDISABLE;

        //obUser.Properties["givenName"].Add(firstName);
        //obUser.Properties["sn"].Add(lastName);

        //obUser.Properties["mail"].Add(strEmail);
        obUser.CommitChanges();

        PasswordGenerator passGen = new PasswordGenerator();
        string strPwd = passGen.Generate();
        object obRet = obUser.Invoke("SetPassword", strPwd);

        //enable the account
        //int AccountDisabled = 2;
        //obUser.Properties["userAccountControl"].Value = AccountDisabled;
        obUser.CommitChanges();
    }
    catch (Exception ex)
    {
        System.Diagnostics.Trace.TraceWarning(ex.Message);
        Console.WriteLine(ex.StackTrace);
    }
}

The exception I get is as follows:
System.DirectoryServices.DirectoryServicesCOMException was caught
  Message="The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)"
  Source="System.DirectoryServices"
  ErrorCode=-2147016651
  ExtendedError=8311
  ExtendedErrorMessage="00002077: SvcErr: DSID-0319051D, problem 5003 (WILL_NOT_PERFORM), data 0\n"
  StackTrace:
    at System.DirectoryServices.DirectoryEntry.CommitChanges()
    at AddUser.CreateUser(String strEmail, String firstName, String lastName, String strUserName, String strPassword) in c:\ETL\AddUser\App_Code\AddUser.cs:line 64


Any inputs will be much appreciated.

Thanks and regards,
Monisha






Joe Kaplan replied on 07-Mar-07 07:02 PM
I'm still not sure why you aren't using our code samples, as they show how
to properly toggle the disabled bit.

Basically, you don't need to set the account to be disabled initially as
that is the default.

Because your domain implements a password policy with a minimum length
required, you have to set a password before you can enable the account.
That's why you need the three step process.

After you have set the password, then you can enable the account.  You do
this by flipping the account disabled bit, not by overwriting the whole
value.  Overwriting the whole value will "unset" the other flags and make
the account non-functional.

You might do:

int current = (int) objUser.Properties["userAccountControl"].Value;
int enabled = current | ADS_UF_ACCOUNTDISABLE;
objUser.Properties["userAccountControl"].Value = enabled;
objUser.CommitChanges();

HTH,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
waghray replied on 08-Mar-07 01:33 PM
Joe,
I modified the code based on your input and have also modified the
policy so that the password for the user is no longer needed, but I
still get the following exception:

System.DirectoryServices.DirectoryServicesCOMException was caught
  Message="The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)"
  Source="System.DirectoryServices"
  ErrorCode=-2147016651
  ExtendedError=8311
  ExtendedErrorMessage="00002077: SvcErr: DSID-0319051D, problem 5003 (WILL_NOT_PERFORM), data 0\n"
  StackTrace:
    at System.DirectoryServices.DirectoryEntry.CommitChanges()
    at AddUser.CreateUser(String strEmail, String firstName, String lastName, String strUserName, String strPassword) in c:\ETL\AddUser\App_Code\AddUser.cs:line 58

Here is the code I am using:
public void CreateUser(string strEmail, string firstName, string lastName, string strUserName, string strPassword)
{
    string strDomain = "LDAP://172.21.200.111:389/CN=Users,DC=accoweb,DC=local";
    const int ADS_UF_ACCOUNTDISABLE = 2;
    try
    {
        DirectoryEntry obDirEntry = new DirectoryEntry(strDomain, strUserName, strPassword);
        DirectoryEntries entries = obDirEntry.Children;
        DirectoryEntry obUser = entries.Add("CN=Tony Lew", obDirEntry.SchemaClassName);
        obUser.Properties["sAMAccountName"].Value = "Tony Lew";
        obUser.Properties["userPrincipalName"].Value = "Tony Lew";

        obUser.Properties["givenName"].Add(firstName);
        obUser.Properties["sn"].Add(lastName);
        obUser.CommitChanges();
        PasswordGenerator passGen = new PasswordGenerator();
        string strPwd = passGen.Generate();
        obUser.Properties["userPassword"].Value = strPwd;
        int current = (int) objUser.Properties["userAccountControl"].Value;
        int enabled = current | ADS_UF_ACCOUNTDISABLE;
        obUser.Properties["userAccountControl"].Value = enabled;

        //obUser.Properties["mail"].Add(strEmail);
        obUser.CommitChanges();

        // object obRet = obUser.Invoke("SetPassword", strPwd);
    }
    catch (Exception ex)
    {
        System.Diagnostics.Trace.TraceWarning(ex.Message);
        Console.WriteLine(ex.StackTrace);
    }
}

It fails right on the first call to CommitChanges, does not even get
to the part to set the password or enabling the account.  From the AD
interface I can manually create a user without a password so that is
not an issue here, unless I am specifically missing something.  I was
under the impression that I could add the user with disabled status
and then set the password under the old policy where the password was
needed but that did not work either even though the AD interface
allowed me to create a user manually without a password.  Since that
did not work I just changed the policy to check if I can add the user
without a password but from the code it still does not work, however
it works from the AD interface.

I downloaded your Raw and Full Samples and did look thru the code, but
could not seem to figure out something that is significantly missing
in my code.  I am new to this and maybe I am missing something.  As
always your input will be much appreciated.

Best regards,
Monisha

Joe Kaplan replied on 08-Mar-07 02:16 PM
Which line does it die on?  Setting the userPassword attribute probably
won't work.  Normally, you have to call SetPassword.

Also, the code I gave you is backward, as it is setting the account to be
disabled.  You need to set it to "not disabled".  Sorry about that.  I was
trying to respond too quickly.  :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
waghray replied on 08-Mar-07 02:26 PM
It is not even going that far as to set the password.  It dies at the
CommitChanges call when creating the user:

public void CreateUser(string strEmail, string firstName, string lastName, string strUserName, string strPassword)
{
    string strDomain = "LDAP://172.21.200.111:389/CN=Users,DC=accoweb,DC=local";
    const int ADS_UF_ACCOUNTDISABLE = 2;
    try
    {
        DirectoryEntry obDirEntry = new DirectoryEntry(strDomain, strUserName, strPassword);
        DirectoryEntries entries = obDirEntry.Children;
        DirectoryEntry obUser = entries.Add("CN=Tony Lew", obDirEntry.SchemaClassName);
        obUser.Properties["sAMAccountName"].Value = "Tony Lew";
        obUser.Properties["userPrincipalName"].Value = "Tony Lew";

        obUser.Properties["givenName"].Add(firstName);
        obUser.Properties["sn"].Add(lastName);
        obUser.CommitChanges();  --> HERE IS WHERE IT DIES

The error is:
System.DirectoryServices.DirectoryServicesCOMException was caught
  Message="The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)"
  Source="System.DirectoryServices"
  ErrorCode=-2147016651
  ExtendedError=8311
  ExtendedErrorMessage="00002077: SvcErr: DSID-0319051D, problem 5003 (WILL_NOT_PERFORM), data 0\n"
  StackTrace:
    at System.DirectoryServices.DirectoryEntry.CommitChanges()
    at AddUser.CreateUser(String strEmail, String firstName, String lastName, String strUserName, String strPassword) in c:\ETL\AddUser\App_Code\AddUser.cs:line 59

Thanks,
Monisha


Joe Kaplan replied on 08-Mar-07 02:44 PM
What does this value return?

obDirEntry.SchemaClassName

I would not think that has a value yet.  I'd suggest putting in the string

See if that helps.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
waghray replied on 08-Mar-07 03:05 PM
I got the adding of user to work.  The Setting of Password is throwing
an exception now.  The exception is as follows:

System.Reflection.TargetInvocationException was caught
  Message="Exception has been thrown by the target of an invocation."
  Source="System.DirectoryServices"
  StackTrace:
    at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
    at AddUser.CreateUser(String strEmail, String firstName, String lastName, String strUserName, String strPassword) in c:\ETL\AddUser\App_Code\AddUser.cs:line 62

The code I have now is as follows:

public void CreateUser(string strEmail, string firstName, string lastName, string strUserName, string strPassword)
{
    string strDomain = "LDAP://172.21.200.111:389/CN=Users,DC=accoweb,DC=local";
    const int ADS_UF_ACCOUNTDISABLE = 2;
    try
    {
        DirectoryEntry obDirEntry = new DirectoryEntry(strDomain, strUserName, strPassword);
        DirectoryEntries entries = obDirEntry.Children;
        DirectoryEntry obUser = entries.Add("CN=Tony Lew",
        obUser.Properties["sAMAccountName"].Value = "Tony Lew";
        obUser.Properties["userPrincipalName"].Value = "Tony Lew";

        obUser.Properties["givenName"].Add(firstName);
        obUser.Properties["sn"].Add(lastName);
        obUser.Properties["mail"].Add(strEmail);
        obUser.CommitChanges();
        PasswordGenerator passGen = new PasswordGenerator();
        string strPwd = passGen.Generate();
        object obRet = obUser.Invoke("SetPassword", new object[] { strPwd });  --> HERE IS WHERE IT FAILS
        int val = (int)obUser.Properties["userAccountControl"].Value;
        int enabled = val & ~ADS_UF_ACCOUNTDISABLE;
        obUser.Properties["userAccountControl"].Value = enabled;

        obUser.CommitChanges();

Will check on the policies on the password and the call, but as always
inputs are much appreciated.

Thanks,
Monisha

Joe Kaplan replied on 08-Mar-07 03:52 PM
Did you read the section in ch 10 about issues with setting passwords?  It
is the most problematic part of AD management with ADSI and we wrote several
pages about the troubleshooting steps.

The bottom line is that the easiest way to get it to work is by using SSL
LDAP, but that requires the DC to have an SSL cert and for you to use a
valid DNS name in your binding string.

What is probably happening is that it is trying to use NetUserSetInfo under
the hood and that is failing for some reason.  The InnerException property
of the TargetInvocationException will contain the exception details.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
waghray replied on 08-Mar-07 04:59 PM
Joe,
Thanks for all your valuable support and input.  I got it to work and
was able to create a user with password.  Your book on this stuff was
also extremely helpful.

Best regards,
Monisha
waghray replied on 08-Mar-07 05:02 PM
Thanks Joe for your valuable input and your book also was extremely
helpful.  I am able to create user, set password and enable the user
account now.  I had to use the DNS name when referring to the AD
server instead of the IP.

Best regards,
Monisha

Joe Kaplan replied on 08-Mar-07 05:22 PM
Glad that worked.  Sometimes that is sufficient, but it is always a good
idea to use the DNS name anyway.  It allows Kerberos authentication and also
makes SSL possible if SSL is enabled on the DC.

We actually cover that stuff in ch 3, but it isn't online for free.  :(

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
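
The sequence this thread arrives at (upper-case LDAP provider, create and commit, SetPassword, then clear the disabled bit without overwriting the other flags), written out as an added example; it is not code from the thread or from the book's samples. The class, method and parameter names and the dc01.example.local host in the comment are assumptions, as is the extra clearing of the password-not-required flag, and the project needs a reference to System.DirectoryServices.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;

public static class UserProvisioning
{
    // userAccountControl bits (ADS_USER_FLAG_ENUM values).
    const int ADS_UF_ACCOUNTDISABLE = 0x0002;
    const int ADS_UF_PASSWD_NOTREQD = 0x0020;
    const int ADS_UF_NORMAL_ACCOUNT = 0x0200;

    // Clear only the named bits so every other flag on the account survives.
    public static int EnabledValue(int current)
    {
        return current & ~(ADS_UF_ACCOUNTDISABLE | ADS_UF_PASSWD_NOTREQD);
    }

    // containerPath (hypothetical): "LDAP://dc01.example.local:636/CN=Users,DC=example,DC=local"
    public static void CreateUser(string containerPath, string bindUser, string bindPassword,
                                  string commonName, string samAccountName,
                                  string userPrincipalName, string initialPassword)
    {
        // The ADSI provider name is case sensitive: "ldap://" fails with 0x80005000.
        if (!containerPath.StartsWith("LDAP://", StringComparison.Ordinal))
            throw new ArgumentException("ADsPath must start with upper-case LDAP://", "containerPath");

        // Refuse characters that would change the structure of the new object's DN.
        char[] dnSpecial = { ',', '+', '"', '\\', '<', '>', ';', '=', '#' };
        if (commonName.IndexOfAny(dnSpecial) >= 0)
            throw new ArgumentException("commonName contains DN special characters", "commonName");

        // Secure bind over SSL; this needs the DC's DNS name, not its IP address.
        AuthenticationTypes auth =
            AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer;

        using (DirectoryEntry container =
                   new DirectoryEntry(containerPath, bindUser, bindPassword, auth))
        using (DirectoryEntry user = container.Children.Add("CN=" + commonName, "user"))
        {
            // Step 1: create the object and commit, so that it exists in the directory.
            user.Properties["sAMAccountName"].Value = samAccountName;
            user.Properties["userPrincipalName"].Value = userPrincipalName;
            user.CommitChanges();

            // Step 2: set the initial password (never write it to a log or trace).
            try
            {
                user.Invoke("SetPassword", new object[] { initialPassword });
            }
            catch (TargetInvocationException ex)
            {
                // The real cause is in InnerException, not in the reflection wrapper.
                Exception inner = ex.InnerException ?? ex;
                throw new InvalidOperationException("SetPassword failed: " + inner.Message, inner);
            }

            // Step 3: reload the server-assigned flags, clear the bits, commit again.
            user.RefreshCache(new string[] { "userAccountControl" });
            int current = (int)user.Properties["userAccountControl"].Value;
            user.Properties["userAccountControl"].Value = EnabledValue(current);
            user.CommitChanges();
        }
    }

    public static void Main()
    {
        // Constructed sample value: a disabled normal account with no password required.
        int sample = ADS_UF_NORMAL_ACCOUNT | ADS_UF_PASSWD_NOTREQD | ADS_UF_ACCOUNTDISABLE;
        Console.WriteLine("0x{0:X} -> 0x{1:X}", sample, EnabledValue(sample));
        // CreateUser is not called here because it needs a reachable DC with LDAPS enabled.
    }
}
```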